Does anyone know why desktop software prioritizes apps that automatically download and install a program instead of the old-fashioned download of an executable? Is it a security issue? I'm not used to downloading a program whose only purpose is to download the actual program that I want. For example, Adobe Flash and Firefox both use downloaders instead of the actual exe.

Also: the download step is the first chance people have to *fail* at installing something, and the longer it takes to download, the higher the chance they'll just abandon it or otherwise not get to the "click to install" step.

By making the original download super small, you maximize the chance that people will start the install. Then you can finish the rest of the download+install on your own, where the only failure route is someone manually cancelling the install or turning off the computer.

sardia wrote:Does anyone know why desktop software prioritizes apps that automatically download & install a program instead of the old-fashioned download of an executable? Is it a security issue? I'm not used to downloading a program whose only purpose is to download the actual program that I want. For example, Adobe Flash & Firefox both use downloaders instead of the actual exe.

Method 1 - person downloads installer for latest build. Author has to make sure they actually update the latest build. Person needs to recheck frequently for patches and updates. Obvious security flaws as users are prone to not update. Requires a lot of bandwidth in spikes, requires the updates be in "Everything from 1.0 to current (12.6.68.6)" to minimize user error - not always possible, naturally.

Method 2 - person downloads installer for more or less the latest build and auto-updater finishes the rest. Author still needs to periodically update the installer so the updates aren't larger than the initial install. Requires large bandwidth spikes for initial download, larger than the installation files needed, trickle later.

Method 3 - download streaming install, dumps from /latest_working/ folder, gets user most current version with minimal fuss, large bandwidth spike but only if necessary files, trickle later.

But most people who do Method 3 also have a full version too. Look for the Network Distributable version. It's marketed to Sysadmins wanting to push a file to a network of 10,000 Machines with only one download from the author's site.

heuristically_alone wrote:I want to write a DnD campaign and play it by myself and DM it myself.

heuristically_alone wrote:I have been informed that this is called writing a book.

Working in software (business stuff), I can confirm that that basically never happens. Partly because of deadline pressure, but also because complexity is a real thing.

Modern software (of non-trivial size) cannot be thoroughly understood by a single person, never mind all the environments that it might be run in. There will always be bugs, oversights, undocumented "features", and just plain stuff-that-no-one-thought-of. Good developers can avoid a ton of stuff, and good testers can weed out even more, but perfection in anything other than a toy program is just not possible. Machine quirks, network crap, OS stuff, browser shit, co-installed gack... let's add in increasingly complex development tools/IDEs just for fun, and all the features that management force in at the last minute for all the reasons.

For Firefox: That must just be on Windows and/or Linux. On Mac, it's a .dmg that just contains Firefox directly, no installer required (though there's also an auto-update program for updates that uses the internet).

Method 4: let repository maintainers distribute their own packages and use a package manager to deal with installation. Unfortunately, that's rarely an option with proprietary software, though. Still, having one program that can automatically fetch and install any of several thousand pieces of software with minimal effort was one of the biggest eye-openers when I used Linux for the first time. I'm surprised package managers for Windows still aren't very ubiquitous.

In any case, I guess an online installer sort of makes sense for the average use case on desktop systems today. People tend to have unlimited internet access and usually only want to install something on one device. The arguments people have raised above all hold now. In the days of dial-up, where you had more limited access to internet and were more likely to share something you downloaded through sneakernet, offline installers were a much saner choice.

SecondTalon wrote:In a Corporate environment, full downloads are the only sane choice.

Because a user is a sensible, intelligent person who can figure out an install easily. Users are dumb and regularly delete the system32 folder because a LifeHack told them to.

Wait, full downloaders, you mean the mini stub that downloads and installs the program for you, right? I guess I should get used to using program stubs that download and install for me. Most of my games do that already. I just found it off-putting to lose control.

Control of what? Versioning? Everything else you gain more control over, because the window between starting the install and installation being finished is longer.

(and giving users control over versions is exactly the reason IE 6 is still getting supported, but that's another rant for another time)

Everything's dead until it's alive. Man will exist, and then he will die. Just take the ride!

So the Network Admin can push out the install and verify that everyone in the corporation is running the same version so there are no version incompatibility issues. You can do that with pretty much anything.

Link wrote:Method 4: let repository maintainers distribute their own packages and use a package manager to deal with installation.

And updates, to state the obvious.

Unfortunately, that's rarely an option with proprietary software, though. Still, having one program that can automatically fetch and install any of several thousand pieces of software with minimal effort was one of the biggest eye-openers when I used Linux for the first time. I'm surprised package managers for Windows still aren't very ubiquitous.

Android might not be fully proprietary, but the Google Play Store obviously offers the same experience, as does the iOS app store. But if system-wide updating isn't a part of the deal, it's useless, which means you need to have universal buy-in from the developers, which means it has to be baked into the OS in a way that's nearly mandatory. The Windows Store is presently useful only as a punch line, but it's going to have to metamorphose into Windows's "package manager" somehow; everything is there but the software. Obviously, there's also a lot of fuss right now about the kinds of limitations that MS should impose on applications distributed this way.

Having a choice of software channels and repos seems particularly unlikely - which is unfortunate, really. There's a lot of incentive for the operating system vendor to make the software store closed and locked in to their own distribution channels, but if third-party sources are supported in the store, of course, the user can manage packages all in one place, all software can be updated together as a set, etc. As it is, there is and there is going to continue to be quite a lot of software on Windows that doesn't come from the Windows (or Apple) store, and updates can't be managed sanely for those applications.

App stores are about as close to repos as commercial platforms can get. Even in Linuxes, there are exactly two kinds of repos for any given platform - the OS distributor's, and individual repositories for individual pieces of software. A third-party repo or store meant to offer a variety of software from different projects would make very little sense and very little impact.

The vast majority of Linux software is handled through package managers, although some software will be offered as a system-appropriate package archive format (equivalent to Android's dpk and things) and a small fraction of those will effectively be the "downloader" rather than the actual package in question. What's really happening there is that the archive is really just adding a third-party software repository instead of installing the package, and then the system installs the software from the repo.

I think Firefox is the default browser for the majority of desktop Linuxes, so it's kinda beside the point in the particular case.

So much depends upon a red wheel barrow (>= XXII) but it is not going to be installed.

Copper Bezel wrote:App stores are about as close to repos as commercial platforms can get. Even in Linuxes, there are exactly two kinds of repos for any given platform - the OS distributor's, and individual repositories for individual pieces of software. A third-party repo or store meant to offer a variety of software from different projects would make very little sense and very little impact.

That's not as true as you might think: there are plenty of community-driven repositories, often for a single theme but occasionally even completely generic. The level of support for such repositories varies per repository and per distributor, and I guess in some cases it would even fit in a somewhat broad definition of being one of the OS distributor's repos, but that's not nearly always the case.

As an example, on Gentoo, you can easily use the tool layman to add extra repositories (or overlays, as they're called in Gentoo). At the moment, it indexes nearly 450 such overlays, of which the vast majority are collections of packages for which an individual user or developer has decided to write ebuilds -- neither single-package overlays nor officially supported ones, but still sensible. The degree of impact does tend to be somewhat low, but there are some quite popular ones. In any case, what I'm trying to say is, don't discount community-driven generic repositories!

I think web downloads have become so common as a method of privacy prevention. It used to be common (and there's probably still youtube tutorials) to download a trial installer, unpack it, and figure out how to install manually in such a way that it never asks you to upgrade or checks time limits. An integrated download+install makes that harder to do.

Mikemk wrote:I think web downloads have become so common as a method of privacy prevention. It used to be common (and there's probably still youtube tutorials) to download a trial installer, unpack it, and figure out how to install manually in such a way that it never asks you to upgrade or checks time limits. An integrated download+install makes that harder to do.

For totally free software (Flash, Java, most-if-not-all Browsers, free versions of AV and anti-Malware tools, etc), it's not as if there's any "30 day trial" aspect to them, for which they need to do something tricky to prevent "This was installed already, on <Date>" records to be hidden somewhere in the Registry, or else send some unique but consistent machine ID back-to-base to match against previously sent "I am installing on ID#<foo>" records as a way to pick up 'cheaters' that can't so easily be circumvented/negated for a 'perpetual trial period' or something.

Obviously vendors would like to know about each and every installation (even if only for some kind of electronic 'demographic' collation of end-user samples), so that they can work out how best to monetise their 'free' products, and/or better convert them into the paid-for versions by properly targeted advertising/pesterware. But they should not take this for granted (or make it more than a token amount of difficulty to get around), lest they alienate the honest-but-somewhat-averse-to-comply users.

For example, right now I've got one machine (this one) connected up to the Internet and two more machines currently running (and doing their own thing, one is basically a media player and another is a development machine which is currently on at least test 468,092,106 of... an unknown number... through a scripted test cycle for some basic simulation I'm looking for an optimal solution for) which I don't make online.

I have no interest in putting them online right now (one does not even have AV because it makes no sense, the other one is somewhat out of date, and will remain so until I make that my first priority the next time I connect it) and they have purposes that don't require them to be. It'd be nice to have the PDF Reader on the development machine (because of some reference documents) but it's not vital as it's actually better to open the same/similar documents on this machine's screen (for glancing reference, if not the ease of cut'n'pasting examples), so I don't bother to look for the stand-alone installer for said program from Adobe, on this machine, put it on a USB drive and plug that into the other...

I am not inclined to string a spare ethernet cable in that machine's direction, plug it in (update its AV, as the very first action) fire up its browser to download the mini-bootstrap installer that then discovers (as I could have told it) that it needs to download whatever version of software is suitable for a 32-bit XP SP3 installation (probably it only cares about it not being 64-bit, and that it's generally Windows rather than any other of the possible OSes).

As it happens, I probably have an Adobe Reader stand-alone installation executable (maybe not the most recent version, by several version-points, but good enough for what I need) on one of my USB sticks anyway, because I've accumulated a number of such executables (and 32/64-bit versions of each, etc, where available) that I trust so that I can upgrade/repair both freshly installed and freshly repaired machines with trustworthy versions of such software even prior to being confident that they are problem-free enough to connect up to the Wild Wild Web initially/again.

And the companies who don't let me easily 'stock' their installers in an offline manner are thus effectively losing my business (and/or that of my 'customers'/'clients', as they might be termed if it were actually paid-for help that I give). I'm less likely to install (say) an AV program that demands internet access to get its first (free, minimal) copy on the machine... although I have to admit that none of my favoured vendors in this field are quite so bad as other vendors supplying other products.

So, anyway, although they may be getting more bang for their buck out of the rest of the (less paranoid) user-community who just go and unthinkingly drag down their mini-installer that provides the vendor with opportunities to better monetise the 'free' installation in some way, if they inconveniently hold back the availability of stand-alone installers then they've lost the opportunity for my 'sneaky' offline installation to eventually morph itself into a "Yes, please, I'd now like the deluxe paid-for subscription version" opportunity, by the end-user... or whatever it is that they're expecting by providing it 'free' in the first place, even if it's just brand-loyalty.

(Plus, particularly with security tools, it's nice to know that, with the software I'm installing in order to identify potential malware on a suspected infected system, I'm not subject to any sneaky falsification of the computer's own DNS/host records into sending us off through some .ru domain 'gateway' that provides me with a 'fixed' version of all the usual security tools by download. If it's on my stick, it's very likely a true version and the chances of the malware that is already there having the wherewithal to infect each and every tool and universally patch-them-to-'work'-on-the-fly anyway is slimmer than that of a secret proxy/MITM server providing more and more carefully-tailored versions of 'false negative' versions, at the whim and as per the ability of the malicious maintainer. Not that I suggest that this is the main reason, but it's another factor.)

Yeah, I think "privacy prevention" was the correct turn of phrase. You're right that it wouldn't really offer any extra protection against someone cracking the distributable, but it would give the server a chance to confirm that this piece of software was definitely installed at this IP and things. For the strange and elusive monetization properties of freeware and other nonfree software that is free, that information could be valuable.

Meanwhile, not getting installed on the dedicated, network-isolated controller machine for your centrifuge farm doesn't hurt any revenue streams for software using that model, either.

Not just for me and just for my own centrifuge-farm, no, but (right now) I don't see any point in PDF Readers other than Adobe's own product (they're all free, SFAIK, and while I think I recall FoxPro/something-similar as another brand that I've some people and businesses use, I don't know of any advantage of not using Adobe's version if I can... albeit that I don't).

I currently bat for Adobe, though, and although I don't keep so much of an eye on information regarding security exploits as I used to do (for my job at the time), I generally trust the basic functionality of their PDF Reader over any of the other PDF Readers that might be in the market, and I think I know enough to make sure that anyone who needs a PDF Reader has the Adobe version on their machine, one way or another.

But if I had the need right now (and I don't, so I'm not checking) to get an updated copy of an off-line installer for the very specific purpose of installing upon an offline machine (either the two of my own, as discussed, or because a friend of mine needs my help and for some - very strange - reason they need PDF-reading ability prior to their machine being put back online) and Adobe refused to give me any offline installer, then I'd immediately start looking elsewhere, and maybe quite soon I'd appreciate something about a rival product that flipped my mental switch and suddenly I'm the one suddenly spreading the ubiquity of "NotAdobe PDF Reader" everywhere I go, eroding Adobe's 'business' model for their product.

I'm not exactly a powerful driving force for any particular product, but I do hold in my hands a multiplicity of 'computer futures' to add to/reinforce any company's market shares... I don't make paid/unpaid-for YourTube broadcasts extolling the benefits of a product to millions of potential consumers, worldwide, but I've probably started hundreds of 'loyal' users on a route that they (or I) might have avoided setting off down, otherwise, if another vendor's clever(er) product placement or high-ranking in Google had managed to persuade me/my contacts otherwise...

(PDF-reading, here, is just an easy placeholder for any other function of software I could mention, that sits with this "free but possibly inconvenient" scenario. I know that there will be a better solution for this, but currently the 'ecological niche' of 'best PDF software', that is being spread in my own wake, is dominated by Adobe. This post is not intended as an advocate of Adobe, although until someone posts otherwise with some good arguments it will, at least temporarily, be one. The 'better' point, from Adobe's (or A.N.Other's) POV would be if that I'm likely to send people to Adobe's (away from A.N.Other's) full-on commercial PDF-writer; except that is somewhat undermined by the fact that I'm a freeloader who personally tends to use OpenOffice/LibreOffice's "Export to PDF" function, on the few occasions these days when I've had need to create such a document, recently... but without that option (something Adobe has little power over) my need would have definitely made me pay for Adobe's solution (which I've used in a previous job), before even checking for a sneaky-clone-version with reduced/no cost, because I go with what I know.)

...so while I don't flatter myself that I'm making immediate (in locality, nor in time) differences to the bottom-line of any particular company's business model, I do have an immeasurable but non-zero influence that, if replicated across a likewise difficult to measure but not insignificant number of similar individuals with a similar mindset, can so easily contribute to adding/removing a significant share of their userbase/revenues/stock-price/secret-volcano-lairs.

And that's the most powerful I've ever felt! My vote in an actual real-life election might (and does) just get lost and seemingly might as well never have been cast, but now I have convinced myself that I hold the future of all the world's software companies in my hands, a few key-presses here and there... I now need to go and lie down, through the sheer exertion at influencing the world. *phew* (Now, quickly, how do I get paid for this product-placement? Before someone comes along and persuades me and everyone else that ClonePDF-Reader/whatever is by far the better solution... )

I don't exactly know to what extent this is still relevant and true, but it used to be possible to create macro-like scripts in PDFs that Adobe's reader was happy to execute, with all security risks involved. The alternate PDF readers simply didn't execute those scripts and thus did not have those risks. I have never seen a PDF that actually used those scripting features, although I have heard of them being used as an entry point for malware. Even if the alternate PDF readers execute scripts nowadays they probably use a different engine with different security holes. Thus the Adobe targeted malware may not work.

Also other PDF readers usually have less memory footprint. Adobe's reader is huge, slow and crash prone compared to Foxit, for example.

Having said that, Adobe's reader is pretty much guaranteed to work with the PDF, since everybody that creates software that writes PDFs will test it on Adobe's reader. And not on Foxit.

Mikeski wrote:A "What If" update is never late. Nor is it early. It is posted precisely when it should be.

Pet peeve: please don't conflate gratis with free. Adobe's PDF reader may not cost money, but it's decidedly not free. I mention this because I'm part of a fairly large crowd of people who'd prefer to use a slightly inferior product (in terms of features) that's free as in speech to a superior one that's only free as in beer.

Barring conflated scenarios, I'm simply not going to install Adobe's PDF reader on any systems I own, because 99.9% of all PDFs work absolutely fine with most of the free (as in freedom) alternatives. And in the conflated scenarios where I would need to install Adobe Reader, I aim to misbehave make a heck of a fuss about it.

commodorejohn wrote:That said, there's any number of reasons not to use Adobe Reader.

Indeed, I'm aware of the gist of many of them, and on balance if I were starting from scratch I'd probably head off and use Foxit (I knew it had a fox in it somewhere!) until/unless I found it had a problem. And I generally do try to avoid being the low-hanging fruit, on the security/exploit front, so this is somewhat an exception to the "don't use what they expect you to use" approach...

Using Adobe Reader as an example was just... an example. Plucked out of the air. I could have mentioned others, but it was the thought process and the issue of whether revenue streams were helped/hurt by my own particular enforced isolationist attitude towards software.

(I could have instead mentioned that I don't buy games that need online activation, because I'm an asocial gamer but even for single-player mode (sufficient to entertain me, usually) various games require connection to Steam or other servers to authenticate and yet my gaming machine is also offline. I avoid buying games where I see, in the shop, that the packaging states online activation is required. I still buy the games that I buy (tautologically!), and maybe I'm missing something by not being able to play Sims 3 (whilst I happily might go back and play Sims 2 with their legitimate activation codes within their packaging), but then again maybe not. It seems a lot of games seem to be premièred on consoles, these days, so I'm already behind the curve with my consoleless household and I can quite clearly survive not dipping into and playing any GTA later than San Andreas, etc...)

commodorejohn wrote:You can't dictate other people's word choice when that is absolutely a valid meaning of "free."

That said, there's any number of reasons not to use Adobe Reader.

This. I'm well aware of the distinction, but "free" as in "costs no moneys" is a ludicrously common usage. Trying to stamp it out is a futile task.

I generally prefer stuff that is pretty open, but...it depends. If the security is also annoying, it ends up swiftly escalating how much I care about it. If it's fairly transparent, meh. I don't usually like things requiring internet access, but I *do* usually have internet access.

It's an important enough distinction that I don't generally use the phrase "free software". "Open source software" and "freeware" are both short and generally unambiguous, though of course I still had to specify "freeware and other nonfree software that is free" for clarity earlier on.

At the very least, it's important enough to be unambiguous in context of this discussion. I mean, this is a discussion specifically about how things are distributed and monetized, and those are very different models for that.
